FortiGate
Ylli_Seitaj
Article Id 383703
Description This article describes how to configure the FortiGate Firewall to allow iCloud Private Relay.
Scope FortiGate.
Solution

Go to 'Policy & Objects' -> 'Firewall Policy' and select 'Create new' to create a new firewall policy. Since there is no dedicated Internet Service for iCloud Private Relay, select all of the Apple Internet Services as the destination.

After adding the Apple Internet Service, the Firewall Policy will look as below:

Select OK, and the Firewall Policy will be created.

Note:

Make sure this policy is placed above any other policy that could match the same traffic, so that iCloud Private Relay traffic hits it and is allowed as required.

Additionally, create a separate firewall policy that allows traffic to the following FQDNs:

  • configuration.ls.apple.com
  • gateway.icloud.com
  • gsp85-ssl.ls.apple.com
  • iphone-Id.apple.com
  • mask-api.icloud.com
  • mask-t.apple-dns.net
  • mask.icloud.com
  • mask-h2.icloud.com

Use the following CLI template in the CLI console to create all the relevant FQDN address objects, an address group named "iCloud_PR_group" containing them, and the firewall policy that references the group:

config firewall address
    edit 'configuration.ls.apple.com'
        set type fqdn
        set fqdn "configuration.ls.apple.com"
    next
    edit 'gateway.icloud.com'
        set type fqdn
        set fqdn "gateway.icloud.com"
    next
    edit 'gsp85-ssl.ls.apple.com'
        set type fqdn
        set fqdn "gsp85-ssl.ls.apple.com"
    next
    edit 'iphone-Id.apple.com'
        set type fqdn
        set fqdn "iphone-Id.apple.com"
    next
    edit 'mask-t.apple-dns.net'
        set type fqdn
        set fqdn "mask-t.apple-dns.net"
    next
    edit 'mask.icloud.com'
        set type fqdn
        set fqdn "mask.icloud.com"
    next
    edit 'mask-h2.icloud.com'
        set type fqdn
        set fqdn "mask-h2.icloud.com"
    next
    edit 'mask-api.icloud.com'
        set type fqdn
        set fqdn "mask-api.icloud.com"
    next
end
config firewall addrgrp
    edit 'iCloud_PR_group'
        set member configuration.ls.apple.com gateway.icloud.com gsp85-ssl.ls.apple.com iphone-Id.apple.com mask-t.apple-dns.net mask.icloud.com mask-h2.icloud.com mask-api.icloud.com
    next
end

config firewall policy
    edit 2 <----- Policy ID.
        set name "Apple-Private-Relay-Allow"
        set srcintf "TEST123"
        set dstintf "wan" <----- Internet facing interface.
        set action accept
        set srcaddr all <----- Could be specific internal addresses.
        set dstaddr "iCloud_PR_group" <----- Should match the address group created above.
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
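To catch a mistyped member or group name before the template above is pasted into the console, here is an added Python check; it is not part of the article or of FortiOS, it assumes only the flat config/edit/set structure shown above, and it uses a constructed one-FQDN sample of the template.

```python
# Added example, not from the Fortinet article: parse_fortios reads a FortiOS CLI template of
# the shape used above, and check_template lists dangling references (an empty list means every
# group member and policy address resolves). SAMPLE is a constructed one-FQDN copy of the template.
import shlex
from collections import defaultdict

SAMPLE = """\
config firewall address
    edit 'mask.icloud.com'
        set type fqdn
        set fqdn "mask.icloud.com"
    next
end
config firewall addrgrp
    edit 'iCloud_PR_group'
        set member mask.icloud.com
    next
end
config firewall policy
    edit 2 <----- Policy ID.
        set srcaddr all
        set dstaddr "iCloud_PR_group"
    next
end
"""

def parse_fortios(text):
    tables, table, entry = defaultdict(dict), None, None  # flat config/edit/set; no nested tables
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<-----")[0]) or [None]  # drop KB "<-----" notes; blank -> [None]
        if tok[0] == "config":
            table = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = tok[2:]
    return tables

def check_template(text):
    cfg = parse_fortios(text)
    addrs, groups = cfg["firewall address"], cfg["firewall addrgrp"]
    problems = [f"address {n!r}: needs 'set type fqdn' and 'set fqdn'"
                for n, a in addrs.items() if a.get("type") != ["fqdn"] or not a.get("fqdn")]
    problems += [f"group {g!r}: member {m!r} is not a defined address"
                 for g, a in groups.items() for m in a.get("member", []) if m not in addrs]
    known = set(addrs) | set(groups) | {"all"}  # "all" is a predefined FortiOS address
    problems += [f"policy {p}: {k} {r!r} is undefined" for p, a in cfg["firewall policy"].items()
                 for k in ("srcaddr", "dstaddr") for r in a.get(k, []) if r not in known]
    return problems
```

Paste the full template from this article into `check_template` in place of `SAMPLE`; any name that appears in `set member` or `set dstaddr` without a matching `edit` entry is reported.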


There is another way to allow internet access while iCloud Private Relay is in use on end devices: refer to Troubleshooting Tip: How to fix 'SSL connection is blocked due to unable to retrieve servers certifi... and allow cert-probe-failure in the SSL/SSH profile.

Related article:

Technical Tip: How to block iCloud Private Relay from bypassing the Security Inspection